+-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+
| > @@ -172,11 +172,18 @@ static void do_token_in(USBDevice *s, USBPacket *p)
| > assert(p->ep->nr == 0);
| > + if (s->setup_len > sizeof(s->data_buf)) {
| > + fprintf(stderr,
| > + "usb_generic_handle_packet: ctrl buffer too small (%d >
%zu)\n",
| > + s->setup_len, sizeof(s->data_buf));
| > + p->status = USB_RET_STALL;
| > + return;
| > + }
|
| Why this is needed? All control transfers go through do_token_setup
| first, so with the check moved in do_token_setup we should never ever
| trigger it here ...
usb_handle_packet
-> usb_process_one
-> do_token_in
Is it possible for a guest to call do_token_in, without calling
do_token_setup first? Most drivers seem to have their own 'usb_packet_setup'
routine. (to confirm)
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
